Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Gentoo :: tb10234.htm

zziplib: Buffer Overflow



zziplib: Buffer Overflow
zziplib: Buffer Overflow




--zaRBsRFn0XYhEU69
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200704-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/ 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: zziplib: Buffer Overflow
      Date: April 03, 2007
      Bugs: #171441
        ID: 200704-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
The zziplib library contains a buffer overflow vulnerability that could
lead to user-assisted remote execution of arbitrary code.

Background
=========
The zziplib library is a lightweight library for extracting data from
files archived in a single zip file.

Affected packages
================
    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  dev-libs/zziplib      < 0.13.49                        >= 0.13.49

Description
==========
dmcox dmcox discovered a boundary error in the zzip_open_shared_io()
function from zzip/file.c .

Impact
=====
A remote attacker could entice a user to run a zziplib function with an
overly long string as an argument which would trigger the buffer
overflow and may lead to the execution of arbitrary code.

Workaround
=========
There is no known workaround at this time.

Resolution
=========
All zziplib users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/zziplib-0.13.49"

References
=========
  [ 1 ] CVE-2007-1614
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1614 

Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200704-05.xml 

Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at 
http://bugs.gentoo.org. 

License
======
Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5 

--zaRBsRFn0XYhEU69
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBRhLaLjvRww8BFPxFAQLdggf+PkhBafEMU+IMoX6f5E1ChXTTYTf5KZRY
QsMIKwuGGsHauENRaqqWTiFkMDYaQQfKGdLdJAbJuDkmVNbms3lzA2Bsh8fD+8f+
m3gR4p+sB8k6QKFMpGM7ZAldGeHA0d+kaIqIqsgOEaiuofWSu1ahRltCwvHOqHPJ
3WiGGgmtsR5df4UzgHGf9Kgs4I93hqzD2zTpA6Hvx7j9ozcxEW31HPIqub66b5Y8
WZSlpaBAZVTp8+aWqyxW95SfvgSgicSUTDp5caZyYv4lbwVrrIcLrbTMt6Q6409B
DC6OZCoFstHPV4TnCI79mUegfBnmcvw0I7N/vMaRnv5DXz6N3igAcw==S82f
-----END PGP SIGNATURE-----

--zaRBsRFn0XYhEU69--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH